Age | Commit message (Collapse) | Author | Files | Lines |
|
This required reworking the auth_sam code, so that it would export the
'name -> server_info' functionality. It's a bit ugly from a modular
point of view, but it's what we have to do...
Fix up some of the code to better use the new talloc()
Andrew Bartlett
(This used to be commit 18e08b4497ebabc2f31210254e145458b7c6a198)
|
|
not Microsoft). Unfortunetly it's harder to fix Samba3 than to make
Samba4 cope...
Andrew Bartlett
(This used to be commit bbd52ab2641d5d6fc184235ac838ce4a022174a9)
|
|
skipping 'bad encryption type'.
Andrew Bartlett
(This used to be commit 4efb87eb03acfa888d455e4ca0aff18bda7f7ba5)
|
|
Andrew Bartlett
(This used to be commit 9f19aae0c0812b156054385ef77785971488e21c)
|
|
were also gensec bugs that didn't turn up until we hit error paths in
the krb5 code.
Andrew Bartlett
(This used to be commit e08366ffeb52e8c522d3808a2af1aa0bc632b55f)
|
|
ensure we don't segfault on the cleanup from an incomplete schannel
bind.
Andrew Bartlett
(This used to be commit 173f29a1d8db111d5adb258eead5379d681d3bb2)
|
|
connection
metze
(This used to be commit 30aa8af04498d674dbcf428a9e62df9055f53ea2)
|
|
though to the sign/check_sig functions.
Andrew Bartlett
(This used to be commit 18367c4235cf16f3c2fee003153ec9b19b02aa9b)
|
|
of associated functions.
The motivation for this change was to avoid having to convert to/from
ucs2 strings for so many operations. Doing that was slow, used many
static buffers, and was also incorrect as it didn't cope properly with
unicode codepoints above 65536 (which could not be represented
correctly as smb_ucs2_t chars)
The two core functions that allowed this change are next_codepoint()
and push_codepoint(). These functions allow you to correctly walk a
arbitrary multi-byte string a character at a time without converting
the whole string to ucs2.
While doing this cleanup I also fixed several ucs2 string handling
bugs. See the commit for details.
The following code (which counts the number of occuraces of 'c' in a
string) shows how to use the new interface:
size_t count_chars(const char *s, char c)
{
size_t count = 0;
while (*s) {
size_t size;
codepoint_t c2 = next_codepoint(s, &size);
if (c2 == c) count++;
s += size;
}
return count;
}
(This used to be commit 814881f0e50019196b3aa9fbe4aeadbb98172040)
|
|
- pass functions to the subcontext in spnego
metze
(This used to be commit d02fab41f8261095ca8f9a819e0c25bef41b5807)
|
|
taking a context (so when you pass a NULL pointer you end up with
memory in a top level context). Fixed it by changing the API to take a
context. The context is only used if the pointer you are reallocing is
NULL.
(This used to be commit 8dc23821c9f54b2f13049b5e608a0cafb81aa540)
|
|
(This used to be commit 278cef77f083c002d17ecbbe18c20825a380eda3)
|
|
(This used to be commit 4aba6e7101041100f7d400abd5e7144b95528fc3)
|
|
connection termination cleanup, and to ensure that the event
contexts are properly removed for every process model
- gave auth_context the new talloc treatment, which removes another
source of memory leaks.
(This used to be commit 230e1cd777b0fba82dffcbd656cfa23c155d0560)
|
|
library are closed on abnormal termination
- convert the service.h structures to the new talloc methods
(This used to be commit 2dc334a3284858eb1c7190f9687c9b6c879ecc9d)
|
|
(This used to be commit b378aae95d4001c4cf4e6e59ed80ee1bd55382ee)
|
|
also fixes a memory leak found with --leak-check.
(This used to be commit f19201ea274f0a542314c61c4af676197bf154ad)
|
|
by making our gensec structures a talloc child of the open connection
we can be sure that it will be destroyed when the connection is
dropped.
(This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d)
|
|
fixed - I'll commit a little test suite soon.
(This used to be commit 5b967c1cbb9831f7f2c6c6187f9e8e6dcc284497)
|
|
The intial motivation for this commit was to merge in some of the
bugfixes present in Samba3's chrcnv and string handling code into
Samba4. However, along the way I found a lot of unused functions, and
decided to do a bit more...
The strlen_m code now does not use a fixed buffer, but more work is
needed to finish off other functions in str_util.c. These fixed
length buffers hav caused very nasty, hard to chase down bugs at some
sites.
The strupper_m() function has a strupper_talloc() to replace it (we
need to go around and fix more uses, but it's a start). Use of these
new functions will avoid bugs where the upper or lowercase version of
a string is a different length.
I have removed the push_*_allocate functions, which are replaced by
calls to push_*_talloc. Likewise, pstring and other 'fixed length'
wrappers are removed, where possible.
I have removed the first ('base pointer') argument, used by push_ucs2,
as the Samba4 way of doing things ensures that this is always on an
even boundary anyway. (It was used in only one place, in any case).
(This used to be commit dfecb0150627b500cb026b8a4932fe87902ca392)
|
|
away the string as a data blob to be put in the buffers later.
This also avoids a length-limited push_str, moving to push_ucs2_talloc().
Andrew Bartlett
(This used to be commit 69163500e0b577f19d1ffeea87f08e05539f5bcc)
|
|
btw, the reason I want to use strncasecmp() instead of StrnCaseCmp()
is that the Samba internal functions are built to deal with
multi-byte, whereas in the cases I am converting we know we are
dealing with solely ascii string constants, so going via the slow
conversion libraries is pointless.
(This used to be commit cef08d5789277bdaa25d5bf0e7cfca8615230f1b)
|
|
registration code
(This used to be commit bcf9d787d6bced4c4482fa3e51ccea258563d89e)
|
|
"gensec:ntlmssp=no" will disable ntlmssp.
(This used to be commit 66f88c7d89154155b27bf8b7839c580fb1cd1e7c)
|
|
--option 'gensec:krb5=no'
or put "gensec:krb5 = no" in smb.conf
Given the frustration I've had with kerberos I was very tempted to name
this option --nfk, but resisted the temptation
(This used to be commit 2d710a5eb5b36e46fa8f652305fa9ab2e09e02f3)
|
|
metze
(This used to be commit 9177cd4285315175913aa2c9359f1173fa7d6eb7)
|
|
metze
(This used to be commit 75c3108955bab44ffda308406bae153e3a92cedf)
|
|
but do not support SPNEGO (such as XP, when not joined to a domain).
This is triggered by the presense or lack of a security blob in the
negprot reply.
Andrew Bartlett
(This used to be commit 99f7a38c077725b22475f2ba68d0955114879c24)
|
|
line. This makes testing much easier.
(This used to be commit 0a4723d250ba13e6374700fc6e80854ec6a3eddc)
|
|
NTLM sign
NTLM sign+seal
NTLM2 sign
NTLM2 sign+seal
and all of the above both with and without key exchange
the NTLM2 seal case is ugly and involves an extra data copy, which
some API changes in gensec or the ndr layer might avoid in future.
(This used to be commit fce7a4218b3136d880dd1a123e8525e3091bbed8)
|
|
'authenticated' connections.
Fix kerberos session key issues - we need to call the
routine for extracting the session key, not just read the cache.
Andrew Bartlett
(This used to be commit b80d849b6b586869fc7d3d4153db1a316f2867a9)
|
|
These fixes aim particularly at allowing PAC-less logins, as I don't
yet generate a PAC in the lorikeet-heimdal KDC.
This is for the benifit of a Kerbeors-enabled domain join, which seems
to be progressing quite well!
Andrew Bartlett
(This used to be commit f5a381094dd5bcbd795a134bc4b8b89901b5e3eb)
|
|
(This used to be commit 2c701f59a7f232fed624f7cec62dd494dd32c2d9)
|
|
This means that 'require NTLMv2 session security' now works for RPC
pipe signing. We don't yet have sealing, but it can't be much further.
This is almost all tridge's code, munged into a form that can work
with the GENSEC API.
This commit also includes more lsakey fixes - that key is used for all
DCE-RPC level authenticated connections, even over CIFS/ncacn_np.
No doubt I missed something, but I'm going to get some sleep :-)
Andrew Bartlett
(This used to be commit a1fe175eec884280fb7e9ca8f528134cf4600beb)
|
|
Clean up use of unitilaised variable.
Andrew Bartlett
(This used to be commit e8d0246882f0d70dc3c63208d0a990804f36a05d)
|
|
Andrew Bartlett
(This used to be commit 0237389ce765cbb6825b79de1b0727da0969efeb)
|
|
signed or sealed.
This allows NTLM2 for SMB connections, and NTLMSSP over HTTP for example.
Andrew Bartlett
(This used to be commit e509451538eb5fac5a288e2c429d8481dbfb355f)
|
|
krb5_locate_kdc is (yet) an unused function in Samba4.
Guenther
(This used to be commit fe93f58dfe208ec814f1e75efde4ececa2b2cb5f)
|
|
Andrew Bartlett
(This used to be commit 2cbbf123d26081687a15eb7b82738e8187153ba4)
|
|
currently get it bougs, but anyway...
Andrew Bartlett
(This used to be commit 46864dd9d778c008c2f1a3a6701360d4ca64a664)
|
|
(This used to be commit e1575a72a10252fdb88778f14bf3c44a65d72c5e)
|
|
The bug (found by tridge) is that Win2k3 is being tighter about the
NTLMSSP flags. If we don't negotiate sealing, we can't use it.
We now have a way to indicate to the GENSEC implementation mechanisms
what things we want for a connection.
Andrew Bartlett
(This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
|
|
now that talloc_free() doesn't need to take a context ptr, there is no
reason we can't use talloc everywhere that we currently use malloc().
(This used to be commit a2ad77fb3ac9638c5ef52494bf62083ec594b9f5)
|
|
metze
(This used to be commit 17268837d21c2199b87bd78c1f62b49a37b86df8)
|
|
(This used to be commit 7be7f25a57422fea3e763479629e18dc9a204aba)
|
|
metze
(This used to be commit fe655d047434422eae77486e5fd7fa51eb942677)
|
|
metze
(This used to be commit 5a3a10c004ee2c94c42f08d52b36c75b413bdb79)
|
|
metze
(This used to be commit 250485b69fbdd494bfd6c69bae94662e24fb0117)
|
|
there're some cleanups needed and we need to verify the PAC correctly
and create the auth_session_info correctly...
metze
(This used to be commit d8fe497097ee49611bb05c4a2fed36912d8e16b4)
|
|
Andrew Bartlett
(This used to be commit 0949b72645024a6810f447fe8acb643f98588ab3)
|